hi ik im supposed to report in the github thing but you dont actually have a security set up their
the bug is a arbitrary file read in the html importing function
POC :
i cant put the code whenever i try to put it , it crashes
so just open this html file using importer and you will get a file in attachments just change it from .png to .txt and you will be able to read the /etc/passwd
just disable the local files url